Members of the public have been writing to the media lambasting SingHealth group CEO Ivy Ng over the recent SingHealth cyber attack incident. Two of the letters were published on ST Forum today (12 Jan).
Mr Danny Chow, in particular, was not happy with the indifferent attitude displayed by Ivy Ng over the COI report on the incident.
“The almost blase tone of the SingHealth group chief executive Ivy Ng comment to the Committee of Inquiry (COI) report was disappointing,” Mr Chow wrote.
She was quoted saying, “Since the incident, we have reinforced the culture of personal ownership of cyber defence so that every staff is empowered to identify and report cyber-security threats.”
Mr Chow commented that since the cyber breach last year, little has been said by the board or the CEO.
“Doesn’t the release of the report warrant a press conference, so that the top management can field questions? It is disconcerting that, notwithstanding public pronouncements, no one at the top appears to be taking responsibility, even with the damning COI statement that ‘the IT cyber-security team could not even recognise a security incident’,” he said.
“The public deserves a more substantive response from those at the top, with an outline of the specifics of the steps that have been taken since the reported incident.”
Complacency of SingHealth’s management
Another member of the public, Gabriel Cheng Kian Tiong, wrote, “The COI’s findings can be summed up in two observations – complacency on the part of management, which believed that SingHealth was well-protected against cyber attacks, and incompetence by the staff tasked with cyber security, who failed to do their jobs properly.
“There seems to be a tendency for official statements, whether from government agencies or the private sector, to use words that make a situation seem less serious than it actually is,” he noted. “The COI’s report is one such example.”
“Yes, harsh words hurt and nobody likes to hear or read negative news reports. But the only way for organisations and even the country to improve is to accept the hard truth and learn real lessons from it,” he added.
It was earlier reported that “unusual activity” was already detected in SingHealth’s servers as early as 4 July 2018. As of 10 July 2018, the Integrated Health Information System (IHiS) had already confirmed that a cyber attack had taken place.
A “war room” was later set up on 10 Jul with the matter escalated to upper management, MOH, the SingHealth, and the Cyber Security Agency (CSA).
However, on 13 Jul 2018, a photo published on ST shows that SingHealth CEO Ivy Ng, who is the wife of Minister for Defense Ng Eng Hen, was accompanying her husband in France the previous day (12 Jul).
She was seen taking a photo with her husband Ng Eng Hen, France’s Secretary of State Genevieve Darrieussecq, Singapore’s Chief of Air Force Mervyn Tan and family members of RSAF 150 Squadron at Cazaux Air Base in France on 12 Jul 2018. Behind them is the commemorative tail flash of an M-346 aircraft unveiled to mark the 20th year celebration of the RSAF detachment at Cazaux Air Base.
Looking at the timeline, it is clear that as of 12 July 2018, she was already aware of the security breach in SingHealth’s system. Yet, she decided to accompany her husband on a MINDEF mission to celebrate with the France’s Secretary of State at Cazaux Air Base instead of remaining in Singapore with her SingHealth staff to deal with the cyber breach incident.
